5 Misconceptions Healthcare CIOs need to Address for Better Cyber Security

By Munawar Abadullah, CEO, ImpTrax Corporation
Twitter: @ImpTrax
Twitter: @MAbadullah

Cyber-crimes are at an all-time high and will continue to rise for as long as organisations adopt a passive approach to online security.

While some healthcare organisations look at cyber security as a “back burner”, the hacking industry is evolving to the point where anyone can become a successful hacker. An aspiring cyber-criminal can buy a full-fledged exploit kit for as little as $3,000. A kit like this does most of the work automatically—deploying various breaching tactics until it finds a vulnerability. The more experienced hackers are more creative in their approach, using social engineering, trickery, and other breaching technology to get hold of your data.

Most practices, hospitals and healthcare IT businesses need a clearer understanding of current security threats and vulnerabilities. Some organisations deploy general security countermeasures and move on, but this strategy is often ineffective because it typically fails to identify underlying vulnerabilities.

Cyber-security remains mired in mystery, and there are misconceptions about how hackers manage to breach supposedly secure environments. In reality, most high-profile security breaches are facilitated by gross employee negligence and could have been easily avoided by sticking to a simple yet effective “don’t do” list.

Here are five of the most alarming mistakes that healthcare organisations make when protecting their data:

1. We are a small establishment. We have nothing to worry about.
Unfortunately, hackers look at small practices and hospitals as low-hanging fruit. The average hacker will almost always prefer an easy target instead of spending months taking swings at something that is surrounded by firewalls. Large hospitals and financial institutions have invested heavily in improving their defenses against malicious cyber-attacks, so hackers tend to target physician practices and healthcare IT businesses and frequently use them as an entry point to reach high-profile targets. In fact, last year SecurityScorecard, a risk management cybersecurity firm that tracks cyber attacks on healthcare in the U.S., released an analysis concluding that about 75 percent of all major healthcare providers had experienced malware infections that could cause them to lose data or money— and this number is expected to rise significantly in the next few years, spurred by further adoption of cloud computing and the huge amount of information that is being stored online.

2. Our security team is great and runs a tight ship.
No matter how robust your security apparatus, it only takes a single non-technical employee to infect an entire network. Careless or poorly trained employees are the biggest vulnerability a security system can have. A large share of security breaches last year were the result of an employee innocently downloading an infected file on their work computer or falling for a phishing scam delivered by email. Once a hacker has gained entry to a network, it’s fairly easy to use that person’s email and login details to infect all other PCs that share the same network.

It’s extremely important for healthcare management to train their employees on the best practices against cybersecurity threats. A proactive leadership should always put an emphasis on employee education prior to implementing an in-depth level of cyber-defense.

3. Everything is password protected, so what’s the big deal?
Relying solely on passwords for your organization’s security is a practice that’s been frowned upon by security experts for years. Computers can process huge amounts of data in a small amount of time, and a hacker can run more than 420 billion password combinations per minute. Brute force attacks, hybrid attacks and dictionary attacks are just a few of the various methods used by hackers to crack a password.

A strong password is a string of at least 20 characters. It should contain upper-case, lower-case and special characters, with a good amount of gibberish instead of real words, since most password-cracking scripts use databases of the most popular words. In password theft, the biggest problem isn’t human error but the technology behind it. Security experts all agree that the best protection against password cracking is to deploy multi-factor authentication and to properly train employees on safe password habits.
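As an added illustration of the policy described above (not code from the article or from ImpTrax), the following checks a candidate password against the stated rules and estimates how long exhaustive search would take at the article’s quoted rate of 420 billion guesses per minute. The small word list and the sample passwords are constructed for the example.

```python
import string

# Constructed stand-in for the "most popular words" databases the article
# says cracking scripts draw on; a real deployment would load a large wordlist.
COMMON_WORDS = {"password", "welcome", "hospital", "summer", "admin",
                "clinic", "medical", "letmein", "qwerty", "doctor"}

# Guess rate quoted in the article: 420 billion combinations per minute.
GUESSES_PER_MINUTE = 420_000_000_000

MIN_LENGTH = 20


def policy_violations(password: str) -> list:
    """Return the reasons a password fails the article's policy (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # "Gibberish instead of real words": reject if dictionary words make up
    # more than half of the password, since wordlist attacks recover those cheaply.
    lowered = password.lower()
    covered = min(len(password), sum(len(w) for w in COMMON_WORDS if w in lowered))
    if password and covered / len(password) > 0.5:
        problems.append("mostly made of common words")
    return problems


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, based on the character classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def years_to_exhaust(password: str) -> float:
    """Years to try every string of this length and alphabet at the article's guess rate."""
    combos = charset_size(password) ** len(password)
    return combos / GUESSES_PER_MINUTE / (60 * 24 * 365)
```

Note that the keyspace estimate is an upper bound: a password built from a dictionary word falls far sooner to a wordlist attack, which is why the policy check flags common words separately.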

4. Our employees would never fall for an obvious scam.
A popular misconception is that social engineering, the “art” of manipulating people into giving up confidential information, is restricted to small, obvious scams that involve stealing some housewife’s credit card details. False. Almost 30 percent of all security breaches have some form of social engineering at heart. In 2009, hackers posed as Coca-Cola’s CEO, persuading an important executive to open an infected email, and the malware ended up infiltrating the whole network. All it takes for a complex security chain to fall is one employee who accepts a scenario at face value.

A recent study shows that most breaches were successful because employees were unfamiliar with the organization’s security processes and policies, rather than because employees were simply careless. Organizations need to simplify security training and provide a system that enables unambiguous identification. Other best practices include giving employees a security checklist that applies to various situations and initiating them in the basics of social engineering and cyber security. It’s also important to encourage employees to report when they have done something by accident, so security teams can proactively check and stop the malicious activity quickly before it causes more damage.

5. We back up everything, so we can just restore operations.
Ransomware has been around for a couple of years now but popped up in the mainstream media recently when WannaCry infected more than 230,000 computers in over 150 countries in a single day, followed by a new strain of ransomware titled “NotPetya”. This malicious software encrypts the victims’ files with the threat of deleting them unless a ransom is paid. More sophisticated ransomware makes use of a technique called cryptoviral extortion, which makes it impossible for anyone to recover the files or use the computer unless the decryption key is provided—even if a backup is available. Organizations affected by this malware experience partial or even complete paralysis of operations while the attack is happening.

Fortunately, ransomware is much easier to prevent than to deal with once an infection is in progress. A first step is to deploy a fully updated anti-ransomware solution across all organization endpoints. Security campaigns that promote awareness of the dangers of clicking on unknown links or email attachments are also a good idea. You can also apply pre-set rules that prevent employees from clicking on unvalidated links or from running executables from attachments.

Also ensure all your software is patched and updated. It’s easy to overlook the importance of software updates. However, when vulnerabilities are discovered in software and left unpatched, hackers can exploit them. The recent WannaCry ransomware global attack is a prime example. Microsoft discovered the vulnerabilities and released Security Bulletin MS17-010 (rated Critical) almost two months before the attack. If organizations had patched their systems, they could have avoided an attack on such a global scale.

Hacking is a very real threat, and there are many ways for a hacker to breach an apparently secure environment—regardless of how well you’ve cordoned off the organization’s networks. There’s no “cure-all” that will prevent every cyber breach from happening, but the best way to prevent and mitigate an infection is to take a community approach to preventative care, putting the responsibility of protecting the organization on every individual. CIOs who prevent rather than fix will always lead a safer organization in the cyber world.